Cybersecurity of 15 Wisconsin Political Sites Graded at CypherCon

  MILWAUKEE, WI - 03/27/2017 (PRESS RELEASE JET)

With rumors of Russian hackers infiltrating political campaigns in the news, how easy would it be for hackers to exploit Wisconsin politicians too?  That is the question that political cybersecurity firm Cybertical will answer at CypherCon, a computer security convention coming to Milwaukee this Thursday and Friday. 

“Cybertical examines political web sites for attributes that might attract a hacker’s attention, and then issues letter grades based on their apparent safety,” said Cybertical founder Jonathan Lampe.  “There is no hacking involved.  Instead we look for publicly-available tell-tale signs that security experts use to get an initial read on site security.”

To prepare for CypherCon, Cybertical analyzed the web sites of 15 prominent Wisconsin politicians and political organizations and graded their apparent cybersecurity from A to F.  

The two sites that Cybertical rated as most hacker-friendly were Democratic Senator Tammy Baldwin’s site (grade: D+) and Republican Congressman Jim Sensenbrenner’s site (grade: F). 

“Both of the low-grade sites run Wordpress, an easy-to-use web site builder with questionable security,” noted Lampe.  “It’s possible to secure Wordpress, but both of these sites are running insecure Wordpress configurations.  In Baldwin’s case, her site publishes a public list of more than 20 usernames that can sign onto the site, including what appears to be an administrative username.  In Sensenbrenner’s case, his site appears to be running an ancient version of Wordpress that contains dozens of vulnerabilities.” 

Slightly better marks were secured by four Republican web sites: Governor Scott Walker (grade: C+), Senator Ron Johnson (grade: C), state Republicans (grade: C) and Lowell Holtz (grade: C; technically non-partisan but supported by the state Republican party). 

“The C-graded sites generally ran up-to-date software and most required the use of secure HTTPS connections,” said Lampe.  “However they still all lost points by publishing too much information about the usernames available on the site or the environment under which they ran – all valuable information to potential hackers.” 

Even better marks were achieved by the sites of six representatives and the state’s top education officer: State Superintendent Tony Evers (grade: B+; technically non-partisan but supported by the state Democratic party), Republican US Representatives Mike Gallagher (grade: B+), Sean Duffy (grade: B), Glenn Grothman (grade: B), and Paul Ryan (grade: B), and Democratic US Representatives Ron Kind (grade: B+) and Gwen Moore (B). 

“The B-graded sites basically ran partially-secured instances of Wordpress or used a commercial website builder,” said Lampe.  “Despite precautions, sites carry some risk when using a well-known site builder, since a vulnerability discovered elsewhere could quickly be exploited on another site built with the same software.”

Top marks were achieved by two Democratic sites: US Representative Mark Pocan (grade: A-) and state Democrats (grade: A-).  

“These were both custom-built sites that do not appear to give would-be hackers many hints as to their origin or weak points,” said Lampe.  “If I was a hacker who wanted to mess with Wisconsin, I would certainly look for easier targets than these.” 

Nonetheless, Lampe noted that none of the Wisconsin sites he studied achieved a perfect grade.

“To earn Cybertical’s perfect 4.0, a political site would need to avoid revealing information about itself and the users that updated it, run current software and require secure HTTPS connections.  Unfortunately, none of the 15 Wisconsin political sites Cybertical analyzed is quite there yet.”

Complete details of the grades achieved by Wisconsin political sites will be revealed to area computer security experts at Milwaukee’s CypherCon convention, which runs this Thursday and Friday (March 30-31) at Discovery World. 

An open source edition of the “PoliticalSiteSecurity” (or “pScan”) scanning tool used to examine all the graded sites will also be released to the public at the same time.  (Release location: https://github.com/Cybertical)

“I wrote a new security scanner last year to help Cybertical inspect the cybersecurity fitness of US Senatorial campaigns, since I did not have time to grade sixty-seven web sites by hand,” said Lampe.  “The new scanner does the work security researchers used to have to do by hand, and releasing the scanner publicly will let other security researchers use and improve the scanner too.”

About Cybertical/Lampe:

Cybertical was founded as a research and consultancy arm of Wisconsin-based FTC, LLC in 2016 by Jonathan Lampe.  With computer science and business management degrees from the University of Wisconsin-Madison and Northern Illinois University, Lampe has served as a credentialed (GSNA, GCIA, CISSP) security expert since 2001, and has designed several applications used to secure sensitive corporate and government data.  More recently, he developed security training programs for the InfoSec Institute, and began researching political campaign security for that company in 2015.  Lampe’s findings on the cybersecurity on US presidential campaign sites were covered nationally by the Associated Press, Politico, and IT publications, and were followed by substantial improvements in candidate site security.  In 2016 Cybertical published its first research, a paper that covered the cybersecurity of 67 different US Senatorial campaigns.  Cybertical currently offers four main services: 1) reports/presentations on a wide range of candidates for public consumption 2) “perimeter walks” that use non-invasive techniques to detail the apparent “hacker attractiveness” of selected sites, 3) “simulated attacks (a.k.a. “penetration tests”) that involve “ethical hacking” of wholly owned sites and 4) “security contacts” that allows politicians to outsource internal and external security questions to Cybertical as their expert in the field.

About CypherCon:

CypherCon bills itself as “Wisconsin’s Hacker Conference” and is in its second year.  Started and run by Milwaukee computer security expert Michael Goetzman, this year’s conference features 25 different computer security speakers and is sponsored by security companies such as PhishLine, SecureWorks, Protiviti, Nexum, RSA and FireEye and large local employers such as American Family Insurance and Kohl’s. 

https://youtu.be/dn6Ahv6tEjY